This March 15 photo shows Army Private Bradley Manning following a hearing at Fort Meade in Maryland. Manning is accused of the biggest leak of official secrets in U.S. history. (AFP)
The White House’s long-awaited insider threat policy, announced two weeks ago, is likely to usher in some noticeable and not-so-noticeable changes at many federal workplaces:
Most employees’ workplace activities will be monitored, by both colleagues and technology. In many cases, that’s already happening.
They also will be asked to monitor their peers for anomalous behavior, such as showing a disregard for information security rules or voicing hostile intentions against the government.
So should employees expect this policy — intended to stop damaging information leaks and violence from disgruntled insiders — to add an unwelcome layer of paranoia and privacy infringement in the workplace?
Federal experts familiar with the new policy say it shouldn’t if it is well-executed and employees and managers are well-trained.
“We stress reporting in a positive light, not a negative light,” said Jim Stuteville, the Army’s senior adviser for counterintelligence operations, who is familiar with the White House’s new policy.
Details of exactly how the White House policy will work have not been released.
Stuteville said the focus of the Army’s insider threat program, which he touts as a model for other agencies to follow, is on behavioral indicators, not a certain religion or acts tied to a religion.
Stuteville said the Army revised its insider threat regulations after the November 2009 shooting at Fort Hood, Texas, in which an Army psychiatrist who harbored radical Islamist sympathies killed 13 people and injured 29.
And the White House issued last month’s policy largely in response to the 2010 scandal in which Army Pfc. Bradley Manning is suspected of stealing and leaking large volumes of classified and sensitive materials to the website WikiLeaks.
“You can’t suffer what we suffered at Fort Hood and WikiLeaks and sit around and do nothing,” Stuteville said.
Since October 2011, the Army has briefed more than 300,000 military and civilian personnel on insider threats and has seen a 30 percent increase in reporting, which can be done anonymously, over nine months. Less than half of those reports triggered investigations.
The co-chairs of the interagency task force that formulated the new White House policy did not respond to repeated requests for an interview.
The Nov. 21 policy specifically calls on all agencies to develop programs to thwart internal threats, including espionage, violent acts against the government, and unauthorized disclosures of classified information and sensitive data on government computer networks and systems. Specifically, agencies are expected to:
Integrate and centrally analyze and respond to threat-related information.
Monitor employees’ use of networks with access to classified and sensitive data and materials.
Train employees on what the threat is and how to identify and report potential insider threats.
Most agencies already have some form of insider threat program in place, which often includes both electronic and employee behavioral monitoring and reporting.
“We can use all the automated tools that we have in the world to look at people’s interactions, but it comes down to employees taking care of their own,” said Deanna Caputo, lead behavioral psychologist at Mitre Corp. “The first line of defense is your people.”
The challenge of doing it right
Experts say the success of the program will depend largely on the quality of training and amount of transparency that accompanies it.
For instance, employees must be clearly trained on what to report and whom to report to, said Harley Stock, a board-certified forensic psychologist at the Florida-based Incident Management Group. Some organizations have hotlines for employees to call in a report and employee assistance programs that can mitigate personal problems before they escalate.
One challenge in implementing the new standards is in how agencies treat and respect employees’ civil liberties and privacy rights, which President Obama mentioned in his memo to carry out the policy.
It is unclear how agencies will do that. One former government official said agencies must limit the scope of their monitoring activity to be no broader than necessary to manage the perceived threat.
But unless those boundaries are clearly defined, agencies will ultimately have much discretion, and employees will be understandably skeptical of their agencies’ ability to prevent abuses.
Experts agree there is a fine line between an effective program that encourages employees to report abnormal behaviors to management and a counterproductive program that leads to over-reporting and erodes trust among the workforce.
Ed Kanerva, a vice president at Booz Allen Hamilton, said agencies have to be upfront with employees about what behavior is not acceptable and make them aware that monitoring is enforced to ensure that rules are followed. It’s like a social contract, Kanerva said.
“You have to instill in the employee that this is part of the business, and it is the price of doing business for the government or company,” he said.
The Army’s insider threat policy notes that a single type of behavior doesn’t mean someone is a threat, but reporting the suspicious behavior at least enables agents to assess the threat.
The Army’s policy lists several behavioral indicators that employees should be watchful for in their peers. They include a disregard for security practices, discussing classified information in unauthorized locations, attempts to befriend other employees to help obtain classified data and repeatedly doing work not required outside of normal hours.
Dawn Cappelli, technical manager of the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, said the main focus of peer-to-peer reporting “isn’t necessarily specific behaviors but changes that may be significant.”
If a person was struggling financially and is suddenly going on lavish vacations and wearing expensive jewelry, “that may be worth reporting,” she said.
“It’s more [about] raising awareness to the types of things that should be reported,” said Cappelli, who analyzes hundreds of insider threat cases in the public and private sectors.
She cited one example in which a government employee — on the verge of being fired — planted malicious code on his agency’s computer system in retaliation. Before leaving work for the weekend, he told a co-worker, “You’re going to see fireworks on Monday.” The co-worker alerted his immediate boss, which triggered calls up the management chain to disable the code before it took down the entire system.
“That one person could have just gone home and not told anyone,” Cappelli said.
There is a difference between a person who is deeply disgruntled and someone who is upset because he was overlooked for a promotion, said Mitre’s Caputo.
It’s normal and even healthy for people to vent after a disappointing or troubling event, but they likely are not coping well if they’re upset and fixated on an incident for an extended time, she said. Their attitude may not improve for several months, and their work attendance may become inconsistent.
“You can report that,” Caputo said. People who feel they’ve been treated unjustly complain to somebody. If they don’t think a system is fair, they don’t mind breaking the rules. They lose respect for the system and the organization’s rules.
The goal is to identify people before they get to that point, she said.
But some question the effectiveness of peer reporting because employees may be reluctant to report a colleague out of fear of retaliation or of tarnishing the career of a colleague with whom they work closely or may be friends.
Some agencies have also enlisted technology to monitor employees’ keystrokes and take snapshots of employees’ computer screens.
But there are dangers in monitoring employees.
The Food and Drug Administration is at the center of a legal battle and investigation by the Office of Special Counsel to determine whether the agency broke the law by extensively monitoring the online activities of whistle-blowers.
FDA employed sophisticated spying software that can record virtually everything employees do at their workstation. By capturing the employees’ keystrokes, FDA gained access to their email passwords, bank account information and even legally protected communications. Eventually, some 80,000 pages of information that FDA collected from the targeted employees — some of which was personal information — ended up in the possession of a contractor, Quality Associates Inc. of Fulton, Md., which posted the information online.
It is unclear from what the White House released publicly exactly what computer activity by federal employees can be monitored and stored and who will make decisions about its collection and storage.